Uncategorized | David Goodwin

john the ripper on crypt passwords out of postfixadmin

This might help my future self :

SELECT username, password into outfile '/tmp/passwords.txt' fields terminated by ':' optionally enclosed by '' lines terminated by '\n' from mailbox where mailbox.active = 1;

and then :

john /tmp/passwords.txt ….

e.g.

root@mail:~# john /tmp/passwords.txt 
Created directory: /root/.john
Loaded 2327 password hashes with 2326 different salts (md5crypt [MD5 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
(vulnerablePassword) whoopsy@example.com

Arduino lights etc.

One day I’ll give up on the illusion that I actually might post something useful here.

Thanks to MonkeySailor. over Christmas I did had an Arduino and some lights.

But there are loads of tutorials for it (like: http://www.instructables.com/id/Arduino-Controlled-LED-Strip-Holiday-Lighting/ ) , so there’s no point in me trying to document it.

Perhaps it’s time for the shed to have some nice lighting. Or to investigate a Raspberry PI.

Lazy wordpress updating using wp-cli.phar

Fed up installing updates to WordPress sites? Stick this in a cron job somewhere, and cross your fingers (a little)…. Continue reading “Lazy wordpress updating using wp-cli.phar”

The spam and regular expressions

I think the spammers need some help with their regular expressions….

spammer regex fail

spam (policyd-weight + excommunicado)

1. See http://github.com/palepurple/policyd-weight – I’m trying to make some changes to policyd-weight (something I’ve been using for ages) to make it more configurable and add in a GeoIP patch which I’ve seen floating around.

2. See https://twitter.com/excommunicado and http://blog.hinterlands.org/2013/11/an-update-on-communicado/ – for a DNS Blacklist you might want to use – using excommunicado.co.uk as a RHSBL has stopped about 700 spammy emails for me already 🙂

3. See https://github.com/palepurple/policyd-dnsbl-spf-geoip – which should improve on policyd-weight which gave me problems with it’s helo checking etc. It’s easier to configure and hopefully far easier to read the sourcecode (still perl though ! ).

WordPress 3.6 is here….

And a new theme. Perhaps one day I’ll fix my twitter sync script.

In the mean time, there’s a bit on Solr on Pale Purple’s blog. along with SpamDyke to stop Qmail being overrun by spam.

Wanted: Developer with interesting skills…. oh, and it’s for the minimum wage… (Is this a joke?)

Recently on the Twitter the following (attached) image came up – presumably legit, of a job advert. Highlights below. It’s almost like someone cut and pasted two job postings together. The phone number does appear to be legit … so perhaps the advert itself is?

Continue reading “Wanted: Developer with interesting skills…. oh, and it’s for the minimum wage… (Is this a joke?)”

Weird Akismet behaviour with WordPress (incorrect spam identification)

One of my customers uses Akismet to protect his various blogs from the masses of spam.

Oddly torwards the end of last week, Akismet started to identify everything as spam, with no error message being returned on check of spam, and the admin dashboard showing the api key/akismet were happy.

I initially thought that perhaps Akismet was just having a bad day, and the problem would go away in a few hours/days time – but this hasn’t been the case. So today, I added in a WordPress plugin to debug the HTTP calls to Akismet to see if that would help identify the problem.

add_action( 'http_api_debug', '_custom_http_api_debug', 10, 5 );

function _custom_http_api_debug( $response, $type, $class, $args, $url ) {    
    error_log( 'Request URL: ' . var_export( $url, true ) );
    error_log( 'Request Args: ' . var_export( $args, true ) );
    error_log( 'Request Response : ' . var_export( $response, true ) );
}

i.e. for a message which was known to be spam :

http post to : http://xxxx.rest.akismet.com/1.1/comment-check
Response body of ‘true’ (HTTP 200 status code etc) (which is correct as per http://akismet.com/development/api/#comment-check )

However, what gave me an idea that something was amiss is that if an administrator attempted to mark an incorrectly tagged comment as ham, the following was seen –

Post to http://xxxxx.rest.akismet.com/1.1/submit-ham
Response body of ‘Invalid Key’

Normally when submitting ham to the above URL you’d see a response like :

“Thanks for making the web a better place.” (as per http://akismet.com/development/api/#submit-ham )

However wordpress was not displaying an error message to the administrator.

Changing the Akismet API keys involved on the sites appeared to fix the problem(s).

Stupid NFS (Debian Squeeze / Ubuntu Precise)

NFS really can be a major PITA. Our office network has been breaking all day.

This seemed to coincide with moving more of our computers to gigabit ethernet (removing the 100mbit CISCO 7960 phones which their network had been daisy-chained through – and seemed to cause intermittent packet loss)

Here are some tips for others unfortunate enough to use it with Debian Squeeze or Ubuntu Precise (12.04 LTS).

On Ubuntu NFS clients, you’ll probably want to use proto=tcp and specify a clientaddr=in the mount options (see the below fstab example). This is especially true if you’ve not got entries for the clients within your local DNS server. If you see ‘clientaddr=0.0.0.0’ and DNS resolution for your clients isn’t working, NFS will not work.
Don’t try using the nfs-kernel-server from squeeze-backports – as for some reason this causes portmap to be uninstalled, which (in my case) stops NIS from working.
Ensure you increase the number of NFS server processes – see /etc/default/nfs-kernel-server (on the server node).

orange:/home /home nfs4 defaults,noatime,proto=tcp,clientaddr=172.30.33.250 0 0

SpamAssassin ruleset to try and catch India based web development spam

At work we keep receiving emails from sales-droids in India who are trying to persuade us to outsource PHP/Android/Java/whatever development to them.

Here’s my first attempt at a spamassassin rule to neutralise it – in my case, copy into a something.cf file in /etc/spamassassin/mail, and running over a suitably loaded email results in :


Content preview:  Dear Sir / Madam, I just wanted to check if you had received
   my last mails sent. Haven't heard back from you, just wondering are you interested
   in our services? Let me know if you are interested then we can discuss this
   further. [...] 

Content analysis details:   (6.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (globalseolinksourcing[at]gmail.com)
 0.0 DKIM_ADSP_CUSTOM_MED   No valid author signature, adsp_override is
                            CUSTOM_MED
 1.7 DEAR_SOMETHING         BODY: Contains 'Dear (something)'
 0.0 HTML_MESSAGE           BODY: HTML included in message
 5.0 LOCAL_INDIA_HITS       Web dev spam from India
 1.2 NML_ADSP_CUSTOM_MED    ADSP custom_med hit, and not from a mailing list

The spamassassin rule

(The intention is that the rule only fires if the email mentions India and at least 4 out of the other phrases (delhi, marketing, php etc)


# india based spam

body  __INDIA_01 /india/i
body  __INDIA_02 /delhi/i
body  __INDIA_03 /web services/i
body  __INDIA_04 /php/i
body  __INDIA_05 /java/i
body  __INDIA_06 /marketing/i
body  __INDIA_07 /website design/i
body  __INDIA_08 /dear sir/i

meta LOCAL_INDIA_HITS ( __INDIA_01  && ((  __INDIA_02 + __INDIA_03 + __INDIA_04 + __INDIA_05 + __INDIA_06 + __INDIA_07 + __INDIA_08 )) > 4)
describe LOCAL_INDIA_HITS Web dev spam from India
score LOCAL_INDIA_HITS 5.0